GHSA-wxgw-qj99-44c2
ADVISORY - githubSummary
Impact
forge.util.setPath
had a potential prototype pollution issue if called with untrusted keys. This API was not used by forge itself.
Patches
The forge.util.setPath
API and related functions were removed in 0.10.0.
Workarounds
Don't call forge.util.setPath
directly or indirectly with untrusted keys.
References
- https://security.snyk.io/vuln/SNYK-JS-NODEFORGE-598677
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
For more information
If you have any questions or comments about this advisory:
- Open an issue in forge.
- Email us at support@digitalbazaar.com.
Common Weakness Enumeration (CWE)
ADVISORY - gitlab
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in